Monday, March 12, 2012

Could social networks revolutionize security? Seven degrees of "I trust you."

In the very first thought piece I wrote for, I discussed the idea that all the talk, all the hype about social networks online really came down to community--how the internet has made possible communities of shared interest.  Later, I compared the idea of online communities to the small village, and how pretty much everything we do in business, commerce, and personal lives includes some attempt to overcome the fact that our worlds are no longer defined by our respective villages.

We’ve also looked a lot at “the era of you,” about the explosion of connectivity, social interaction, consumer-added value, and the ever-growing network of things.  You can now know more, in more places, and greatly personalize your interactions with each other, with your employer and colleagues, and with businesses.

In other articles, I’ve shared the concept of technology triggers, the idea that developments in two or more unrelated tech areas can trigger the emergence of a new technology or new business model.  For instance, digitization of music plus broadband networks = billion-dollar+ markets for Amazon and iTunes.  

Today, I’d like to extend all of these concepts, and make a prediction:

Online security could be revolutionized by applying social tools to authentication. In addition to “what you have” and “what you know,” technology will let us reintroduce the most basic small village security concepts of all: “I know you,” and “I know who you know, and because I trust them, I trust you.”

The “seven degrees of separation” meme is well known, and all of us have experienced that small-world moment when we’ve discovered a friend or colleague in common with someone totally unexpected.  “Who do we both know” is something Facebook has used to great advantage; when you receive a friend request or look up someone’s profile, it tells you what friends you have in common.  For me, that’s the first thing I check: “are there a lot of them?  Who do I know in person I could ask about this stranger who wants to know me?”  

Authentication is everything. 

Take that question just a bit farther, and it’s easy to see that there is a taxonomy of relationships.  It started in the village model, “I do business with you and we have a history together.”  What are the determiners of confidence in “I know you?”

  • Proximity--Is the association real (we have met in person) or virtual (from online)? In-person contact does not automatically guarantee trustworthiness; there are people I have met casually once or twice whom I do not trust nearly as much as some online friends with whom I share many trusted friends.  
  • Role--what is the nature of the connection?  Friendship? Work? Client or Customer? Vendor? Family?
  • Length of association--How long has this association existed?
  • Shared communities--community affinity can predict areas that might match the authentication need.  For instance, if you’re considering going on a date with a new connection, shared friends would be important. If you’re considering voting for them, shared political involvement would be a key.
  • Shared associations--If you and I work for the same employer, but are not connected otherwise, your connection to a mutual colleague could be more significant than your connection to a contractor for my home.
  • Degree of personal contact--how many degrees of separation are there?  Are you a friend of a friend?  Note how LinkedIn uses social proximity in their 1st/2nd/3rd degree connection model.
  • Frequency of association--for instance, if you see me on Facebook through a mutual friend, and send me a note with the friend request, “I’m the guy who rides in the same Metra car with you every day on the commute into Chicago,” that adds social depth to the likelihood of trustworthiness.  If I’ve used this credit card at your business 50 times in the last year with no problem, chances are high that this transaction will have no problem either.

How would it work?

Let’s take the simplest example, one that Facebook should offer today, but doesn’t.  Let’s say I have 100 friends.  John, with 500 friends, sends me a friend request, and we have 20 friends in common.  So, "friends in common" is 20% of my friends list, and 4% of John's friend list.  Shared numbers as an absolute are helpful, but the chance that his 4% will be as important as my 20% is lower.  Derive an index number by dividing 20 by 4 = 5.  If John also had 100 friends--20% shared--the index would be 1.  Now we have useful information; a higher percentage of shared friends tells me the chances are greater I’d want to be friends with the stranger who is saying hello.  

That’s social authentication, and as this example shows, it can be turned into metrics, which in turn can be used to predict the likelihood of trust.

In the Facebook example, it wouldn’t take much history of managing a friends list to get a sense for what index number is the threshold for those you want to add, at least in the absence of other information, such as an introductory letter.  

The result: the social trust index

As we develop indexes for each of the taxonomy areas, we can move to situational comparisons of trust threshold, and we can compare them across many instances of different people and situations to give a very useful complement to online and in-person authentication.  To sign in to online banking, you might need a social trust index no higher than 2.5.  To buy a latte at Starbucks, maybe a 6.  Starbucks would quickly amass average social trust metrics for their huge client base, and dynamically know on the spot whether a transaction were legitimate.

These numbers are purely arbitrary; the point is to demonstrate the value of social authentication.  Remember, the social trust index is not a fixed number like your FICO score: it changes based on your current location, role, purpose, and intent, and as your social connections evolve over time.
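The friend-request index from the Facebook example above, and the per-context thresholds from the social trust index section, as an added example that is not part of the original post. The friend lists are constructed to match the post's numbers (100 friends, 500 friends, 20 shared), and the thresholds are the post's own illustrative values, treated here as "accept if the index is at or below the threshold".

```python
from typing import Optional

# Constructed sample friend lists (not real accounts): "me" has 100 friends,
# "john" has 500, and exactly 20 (f80..f99) are shared, as in the post.
ME = {f"f{i}" for i in range(100)}
JOHN = {f"f{i}" for i in range(80, 580)}


def shared_percentages(mine: set, theirs: set) -> tuple[int, float, float]:
    """Return (shared count, shared as % of my list, shared as % of their list)."""
    shared = len(mine & theirs)
    mine_pct = 100.0 * shared / len(mine) if mine else 0.0
    theirs_pct = 100.0 * shared / len(theirs) if theirs else 0.0
    return shared, mine_pct, theirs_pct


def friend_index(mine: set, theirs: set) -> Optional[float]:
    """The post's index: my shared percentage divided by theirs (20% / 4% = 5).

    With no shared friends both percentages are 0, so the index is undefined
    (0/0); return None rather than guessing a value.
    Caveat: the same shared count appears in both percentages, so whenever it
    is non-zero the index reduces to len(theirs) / len(mine). The raw shared
    percentage from shared_percentages() is what actually carries the overlap.
    """
    shared, mine_pct, theirs_pct = shared_percentages(mine, theirs)
    if shared == 0:
        return None
    return mine_pct / theirs_pct


# Assumed, arbitrary per-context thresholds (the post's illustrative numbers):
# a request is accepted when the index is at or below the threshold.
THRESHOLDS = {"online_banking": 2.5, "buy_latte": 6.0}


def accept(context: str, mine: set, theirs: set) -> bool:
    """Apply the context's threshold; no social overlap means no basis for trust."""
    idx = friend_index(mine, theirs)
    if idx is None:
        return False
    return idx <= THRESHOLDS[context]


if __name__ == "__main__":
    print(shared_percentages(ME, JOHN))          # (20, 20.0, 4.0)
    print(friend_index(ME, JOHN))                # 5.0
    for ctx in THRESHOLDS:
        print(ctx, accept(ctx, ME, JOHN))
```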

So, why could this be revolutionary?

This is the technology triggers model in action: take two or more things that are and extrapolate something that might be.  Social authentication will be a vital part of the future in which the digital personal assistant (DPA) will play such an important role, and it adds to the business opportunity for the company that gets there first.  Take the “what might be” out to a logical--and possible--conclusion, and you have a computer intelligence with you at all times, helping you manage your interactions with the world, using those interactions to constantly prove you are who you say, you have community associations to back that up, and you are recognized wherever you go.  

If I can sit here at and envision this future, can there be any doubt that teams from companies like Apple, Google, and Microsoft have done the same?

I think the biggest potential benefit to social-based authentication is just how hard it would be to falsify, to game the system.  Think of the current means of security:  something you have can be stolen, or falsified.  Something you know can be guessed, stolen, maybe just looked up by picking up the keyboard in your office and looking underneath it for the passwords on the sticky note.

But the permutations of who you know are so vast, and span so many aspects of your life, that the trust index that could be generated from the taxonomy above would be nearly impossible to defeat.  Security is never a game of certainty; it’s a game of odds. You do what’s possible to know you’re giving trust to the right person, and you accept a certain level of risk.  Social authentication represents a very significant way to minimize that risk, and to apply the metaphor of village life to security in a tech-enabled world.  Passwords?  Keys?  "Who goes there?" "It's ME!" "Well, come on in!"
